@dudousxd/nestjs-authz 0.2.0 → 0.4.0

package/dist/gate.js

@@ -12,9 +12,11 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 };
 import { ForbiddenException, Inject, Injectable, Optional } from '@nestjs/common';
 import { ModuleRef } from '@nestjs/core';
+import { publishAuthzDecision } from './diagnostics.js';
 import { AbilityNotResolvedException, AmbiguousAbilityException } from './errors/exceptions.js';
 import { PolicyRegistry } from './policy-registry.js';
-import { AUTHZ_MODULE_OPTIONS, CONTEXT_ACCESSOR, PERMISSION_PROVIDER } from './tokens.js';
+import { defaultRoleResolver } from './role-provider.js';
+import { AUTHZ_MODULE_OPTIONS, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, } from './tokens.js';
 // A sentinel marking "no user resolved" distinct from a legitimately-`undefined`
 // user. `forUser(undefined)` explicitly authorizes an anonymous user.
 const NO_USER = Symbol('authz:no-user');
@@ -34,16 +36,20 @@ let Gate = class Gate {
     context;
     moduleRef;
     permissionProvider;
+    roleProvider;
     gates = new Map();
     superAdmin;
     resolveUser;
-    constructor(policies, options, context, moduleRef, permissionProvider) {
+    roleResolver;
+    constructor(policies, options, context, moduleRef, permissionProvider, roleProvider) {
         this.policies = policies;
         this.context = context;
         this.moduleRef = moduleRef;
         this.permissionProvider = permissionProvider;
+        this.roleProvider = roleProvider;
         this.superAdmin = options?.superAdmin;
         this.resolveUser = options?.resolveUser;
+        this.roleResolver = options?.resolveRoles ?? defaultRoleResolver;
     }
     /**
      * Locate the context accessor. Prefers the value injected into this module;
@@ -79,6 +85,23 @@ let Gate = class Gate {
             return undefined;
         }
     }
+    /**
+     * Locate the optional {@link RoleProvider} (the coarse role seam). Prefers the value
+     * injected into this module; falls back to a non-strict {@link ModuleRef} lookup so a
+     * provider registered by ANY module (e.g. the RBAC adapter's global module) is found.
+     */
+    resolveRoleProvider() {
+        if (this.roleProvider)
+            return this.roleProvider;
+        if (!this.moduleRef)
+            return undefined;
+        try {
+            return this.moduleRef.get(ROLE_PROVIDER, { strict: false });
+        }
+        catch {
+            return undefined;
+        }
+    }
     /** Register an ad-hoc, model-less gate resolved by `ability` name. */
     define(ability, fn) {
         this.gates.set(ability, fn);
@@ -88,6 +111,14 @@ let Gate = class Gate {
     hasGate(ability) {
         return this.gates.has(ability);
     }
+    /**
+     * Names of every ad-hoc gate registered via {@link define}. Used by integrations
+     * (e.g. `@dudousxd/nestjs-authz-inertia`) that enumerate the user's class-level
+     * abilities to share them as Inertia props — no network round-trip needed.
+     */
+    gateNames() {
+        return [...this.gates.keys()];
+    }
     /**
      * Bind an explicit user, bypassing the context accessor. Use when no
      * nestjs-context is wired, or to check a user other than the current one.
@@ -131,19 +162,81 @@ let Gate = class Gate {
             throw new ForbiddenException(`Unauthorized: ${ability}`);
         }
     }
+    // --- coarse role checks (operate on the current/context user) ---
+    /** True when the current user holds `role`. */
+    async hasRole(role) {
+        return this.checkRoles(await this.currentUser(), [role]);
+    }
+    /** True when the current user holds ANY of `roles`. */
+    async hasAnyRole(roles) {
+        return this.checkRoles(await this.currentUser(), roles);
+    }
     // --- internal: used by BoundGate too ---
     /** @internal */
     allowsForUser(user, ability, resource) {
         return this.check(user, ability, resource);
     }
+    /** @internal */
+    hasAnyRoleForUser(user, roles) {
+        return this.checkRoles(user, roles);
+    }
+    /**
+     * Resolve the user's effective roles and test membership against `roles`. Returns
+     * `false` for an anonymous (NO_USER) caller and whenever no source yields a role
+     * (deny-by-default). Roles come from the UNION of the default/overridden
+     * {@link RoleResolver} (reads the user object) and the optional {@link RoleProvider}
+     * seam (a persisted store) — so an app needs neither to opt in.
+     */
+    async checkRoles(maybeUser, roles) {
+        if (maybeUser === NO_USER || roles.length === 0)
+            return false;
+        const userRoles = await this.rolesOf(maybeUser);
+        if (userRoles.size === 0)
+            return false;
+        return roles.some((r) => userRoles.has(r));
+    }
+    /** The current user's effective role names (resolver ∪ provider). */
+    async rolesOf(user) {
+        const out = new Set();
+        const fromResolver = await this.roleResolver(user);
+        if (Array.isArray(fromResolver)) {
+            for (const r of fromResolver)
+                if (typeof r === 'string')
+                    out.add(r);
+        }
+        const provider = this.resolveRoleProvider();
+        if (provider) {
+            const fromProvider = await provider.getRoles(user);
+            if (Array.isArray(fromProvider)) {
+                for (const r of fromProvider)
+                    if (typeof r === 'string')
+                        out.add(r);
+            }
+        }
+        return out;
+    }
     async check(maybeUser, ability, resource) {
+        const { allowed, reason } = await this.resolve(maybeUser, ability, resource);
+        // Emit the decision for observers (e.g. the telescope authorization watcher).
+        // Loosely coupled via a diagnostics channel — zero-overhead when no subscriber,
+        // and a publish failure can never affect the verdict. Only reached decisions are
+        // emitted; an unresolved/ambiguous ability throws above and is intentionally silent.
+        publishAuthzDecision(ability, allowed, reason, maybeUser === NO_USER ? undefined : maybeUser, resource);
+        return allowed;
+    }
+    /**
+     * Resolve an ability to a verdict plus the path that decided it. Throws
+     * {@link AbilityNotResolvedException}/{@link AmbiguousAbilityException} when no
+     * decision can be reached (those paths emit no decision).
+     */
+    async resolve(maybeUser, ability, resource) {
         const user = maybeUser === NO_USER ? undefined : maybeUser;
         // Global super-admin hook first.
         const sa = await this.superAdmin?.(user, ability);
         if (sa === true)
-            return true;
+            return { allowed: true, reason: 'super-admin' };
         if (sa === false)
-            return false;
+            return { allowed: false, reason: 'super-admin' };
         // RBAC seam (Laravel/spatie `Gate::before` grant): if a PermissionProvider is
         // registered and the (authenticated) user holds the named permission, grant it.
         // Grant-only — a `false`/`undefined` result falls through to normal resolution,
@@ -153,7 +246,7 @@ let Gate = class Gate {
             if (provider) {
                 const granted = await provider.hasPermission(user, ability, resource);
                 if (granted === true)
-                    return true;
+                    return { allowed: true, reason: 'permission-provider' };
             }
         }
         const policy = this.resolvePolicy(ability, resource);
@@ -168,22 +261,23 @@ let Gate = class Gate {
                 if (typeof before === 'function') {
                     const result = await before.call(policy, user, ability);
                     if (result === true)
-                        return true;
+                        return { allowed: true, reason: 'policy-before' };
                     if (result === false)
-                        return false;
+                        return { allowed: false, reason: 'policy-before' };
                 }
                 // Anonymous users are denied unless a hook granted access above.
                 if (maybeUser === NO_USER)
-                    return false;
-                return Boolean(await method.call(policy, user, resource));
+                    return { allowed: false, reason: 'anonymous' };
+                const allowed = Boolean(await method.call(policy, user, resource));
+                return { allowed, reason: 'policy' };
             }
         }
         // Fall back to an ad-hoc gate.
         const gate = this.gates.get(ability);
         if (gate) {
             if (maybeUser === NO_USER)
-                return false;
-            return Boolean(await gate(user, resource));
+                return { allowed: false, reason: 'anonymous' };
+            return { allowed: Boolean(await gate(user, resource)), reason: 'gate' };
         }
         throw new AbilityNotResolvedException(ability);
     }
@@ -219,7 +313,9 @@ Gate = __decorate([
     __param(3, Optional()),
     __param(4, Optional()),
     __param(4, Inject(PERMISSION_PROVIDER)),
-    __metadata("design:paramtypes", [PolicyRegistry, Object, Object, ModuleRef, Object])
+    __param(5, Optional()),
+    __param(5, Inject(ROLE_PROVIDER)),
+    __metadata("design:paramtypes", [PolicyRegistry, Object, Object, ModuleRef, Object, Object])
 ], Gate);
 export { Gate };
 /**
@@ -243,5 +339,13 @@ export class BoundGate {
             throw new ForbiddenException(`Unauthorized: ${ability}`);
         }
     }
+    /** True when the bound user holds `role`. */
+    hasRole(role) {
+        return this.gate.hasAnyRoleForUser(this.user, [role]);
+    }
+    /** True when the bound user holds ANY of `roles`. */
+    hasAnyRole(roles) {
+        return this.gate.hasAnyRoleForUser(this.user, roles);
+    }
 }
 //# sourceMappingURL=gate.js.map

package/dist/gate.js.map

@@ -1 +1 @@
-{"version":3,"file":"gate.js","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAa,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,2BAA2B,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAEhG,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAW1F,iFAAiF;AACjF,sEAAsE;AACtE,MAAM,OAAO,GAAG,MAAM,CAAC,eAAe,CAAC,CAAC;AAGxC;;;;;;;;;;GAUG;AAEI,IAAM,IAAI,GAAV,MAAM,IAAI;IAMI;IAMA;IAEA;IAGA;IAhBF,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAClC,UAAU,CAA6B;IACvC,WAAW,CAAoC;IAEhE,YACmB,QAAwB,EAGzC,OAAuC,EAGtB,OAAyB,EAEzB,SAAqB,EAGrB,kBAAuC;QAXvC,aAAQ,GAAR,QAAQ,CAAgB;QAMxB,YAAO,GAAP,OAAO,CAAkB;QAEzB,cAAS,GAAT,SAAS,CAAY;QAGrB,uBAAkB,GAAlB,kBAAkB,CAAqB;QAExD,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,UAAU,CAAC;QACtC,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACK,cAAc;QACpB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAkB,gBAAgB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,yBAAyB;QAC/B,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAqB,mBAAmB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,sEAAsE;IACtE,MAAM,CAAC,OAAe,EAAE,EAAU;QAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4DAA4D;IAC5D,OAAO,CAAC,OAAe;QACrB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;;;OASG;IACH,OAAO,CAAC,IAAU;QAChB,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC5D,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,WAAW;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO;YAAE,OAAO,OAAO,CAAC;QAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9B,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC;QACtC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAc,CAAC,CAAC;YACxD,OAAO,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC/C,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,4DAA4D;IAE5D,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,0CAA0C;IAE1C,gBAAgB;IAChB,aAAa,CAAC,IAAe,EAAE,OAAe,EAAE,QAAmB;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAEO,KAAK,CAAC,KAAK,CACjB,SAAoB,EACpB,OAAe,EACf,QAAmB;QAEnB,MAAM,IAAI,GAAS,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAEjE,iCAAiC;QACjC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC7B,IAAI,EAAE,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;QAE/B,8EAA8E;QAC9E,gFAAgF;QAChF,gFAAgF;QAChF,yEAAyE;QACzE,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACtE,IAAI,OAAO,KAAK,IAAI;oBAAE,OAAO,IAAI,CAAC;YACpC,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,MAAM,GAAI,MAAkC,CAAC,OAAO,CAAC,CAAC;YAC5D,2EAA2E;YAC3E,uEAAuE;YACvE,yEAAyE;YACzE,4DAA4D;YAC5D,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,MAAM,MAAM,GAAI,MAAyB,CAAC,MAAsC,CAAC;gBACjF,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;oBACjC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;oBACxD,IAAI,MAAM,KAAK,IAAI;wBAAE,OAAO,IAAI,CAAC;oBACjC,IAAI,MAAM,KAAK,KAAK;wBAAE,OAAO,KAAK,CAAC;gBACrC,CAAC;gBACD,iEAAiE;gBACjE,IAAI,SAAS,KAAK,OAAO;oBAAE,OAAO,KAAK,CAAC;gBACxC,OAAO,OAAO,CAAC,MAAO,MAAuC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,SAAS,KAAK,OAAO;gBAAE,OAAO,KAAK,CAAC;YACxC,OAAO,OAAO,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,IAAI,2BAA2B,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,QAAmB;QACxD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,yEAAyE;YACzE,uEAAuE;YACvE,0EAA0E;YAC1E,qEAAqE;YACrE,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ;iBAC1B,GAAG,EAAE;iBACL,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,OAAQ,MAAkC,CAAC,OAAO,CAAC,KAAK,UAAU,CAAC,CAAC;YAC1F,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC3C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,yBAAyB,CACjC,OAAO,EACP,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAoB,CAAC,WAAW,EAAE,IAAI,IAAI,QAAQ,CAAC,CACxE,CAAC;YACJ,CAAC;YACD,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,qFAAqF;QACrF,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAyB,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;CACF,CAAA;AApMY,IAAI;IADhB,UAAU,EAAE;IAQR,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;IAE5B,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,gBAAgB,CAAC,CAAA;IAExB,WAAA,QAAQ,EAAE,CAAA;IAEV,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,mBAAmB,CAAC,CAAA;qCAVD,cAAc,kBAQZ,SAAS;GAd7B,IAAI,CAoMhB;;AAED;;GAEG;AACH,MAAM,OAAO,SAAS;IAED;IACA;IAFnB,YACmB,IAAU,EACV,IAAe;QADf,SAAI,GAAJ,IAAI,CAAM;QACV,SAAI,GAAJ,IAAI,CAAW;IAC/B,CAAC;IAEJ,MAAM,CAAC,OAAe,EAAE,QAAmB;QACzC,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAa,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAA4B,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAClF,OAAO,EAAE,2BAA2B,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAEhG,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAwC,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC/F,OAAO,EACL,oBAAoB,EACpB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,GACd,MAAM,aAAa,CAAC;AAWrB,iFAAiF;AACjF,sEAAsE;AACtE,MAAM,OAAO,GAAG,MAAM,CAAC,eAAe,CAAC,CAAC;AAGxC;;;;;;;;;;GAUG;AAEI,IAAM,IAAI,GAAV,MAAM,IAAI;IAOI;IAMA;IAEA;IAGA;IAGA;IApBF,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAClC,UAAU,CAA6B;IACvC,WAAW,CAAoC;IAC/C,YAAY,CAAe;IAE5C,YACmB,QAAwB,EAGzC,OAAuC,EAGtB,OAAyB,EAEzB,SAAqB,EAGrB,kBAAuC,EAGvC,YAA2B;QAd3B,aAAQ,GAAR,QAAQ,CAAgB;QAMxB,YAAO,GAAP,OAAO,CAAkB;QAEzB,cAAS,GAAT,SAAS,CAAY;QAGrB,uBAAkB,GAAlB,kBAAkB,CAAqB;QAGvC,iBAAY,GAAZ,YAAY,CAAe;QAE5C,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,UAAU,CAAC;QACtC,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;QACxC,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,mBAAmB,CAAC;IACnE,CAAC;IAED;;;;OAIG;IACK,cAAc;QACpB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAkB,gBAAgB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,yBAAyB;QAC/B,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAqB,mBAAmB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,mBAAmB;QACzB,IAAI,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC,YAAY,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAe,aAAa,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,sEAAsE;IACtE,MAAM,CAAC,OAAe,EAAE,EAAU;QAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4DAA4D;IAC5D,OAAO,CAAC,OAAe;QACrB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAChC,CAAC;IAED;;;;;;;;;OASG;IACH,OAAO,CAAC,IAAU;QAChB,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC5D,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,WAAW;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO;YAAE,OAAO,OAAO,CAAC;QAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9B,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC;QACtC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAc,CAAC,CAAC;YACxD,OAAO,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC/C,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,4DAA4D;IAE5D,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,mEAAmE;IAEnE,+CAA+C;IAC/C,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,uDAAuD;IACvD,KAAK,CAAC,UAAU,CAAC,KAAe;QAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED,0CAA0C;IAE1C,gBAAgB;IAChB,aAAa,CAAC,IAAe,EAAE,OAAe,EAAE,QAAmB;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED,gBAAgB;IAChB,iBAAiB,CAAC,IAAe,EAAE,KAAe;QAChD,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,UAAU,CAAC,SAAoB,EAAE,KAAe;QAC5D,IAAI,SAAS,KAAK,OAAO,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,qEAAqE;IAC7D,KAAK,CAAC,OAAO,CAAC,IAAU;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;QAC9B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,KAAK,MAAM,CAAC,IAAI,YAAY;gBAAE,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC5C,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnD,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;gBAChC,KAAK,MAAM,CAAC,IAAI,YAAY;oBAAE,IAAI,OAAO,CAAC,KAAK,QAAQ;wBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,KAAK,CAAC,KAAK,CACjB,SAAoB,EACpB,OAAe,EACf,QAAmB;QAEnB,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC7E,8EAA8E;QAC9E,gFAAgF;QAChF,iFAAiF;QACjF,qFAAqF;QACrF,oBAAoB,CAClB,OAAO,EACP,OAAO,EACP,MAAM,EACN,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,EAC7C,QAAQ,CACT,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,OAAO,CACnB,SAAoB,EACpB,OAAe,EACf,QAAmB;QAEnB,MAAM,IAAI,GAAS,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAEjE,iCAAiC;QACjC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QACjE,IAAI,EAAE,KAAK,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QAEnE,8EAA8E;QAC9E,gFAAgF;QAChF,gFAAgF;QAChF,yEAAyE;QACzE,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACtE,IAAI,OAAO,KAAK,IAAI;oBAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;YAChF,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,MAAM,GAAI,MAAkC,CAAC,OAAO,CAAC,CAAC;YAC5D,2EAA2E;YAC3E,uEAAuE;YACvE,yEAAyE;YACzE,4DAA4D;YAC5D,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,MAAM,MAAM,GAAI,MAAyB,CAAC,MAAsC,CAAC;gBACjF,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;oBACjC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;oBACxD,IAAI,MAAM,KAAK,IAAI;wBAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;oBACvE,IAAI,MAAM,KAAK,KAAK;wBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;gBAC3E,CAAC;gBACD,iEAAiE;gBACjE,IAAI,SAAS,KAAK,OAAO;oBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;gBAC1E,MAAM,OAAO,GAAG,OAAO,CACrB,MAAO,MAAuC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAC5E,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,SAAS,KAAK,OAAO;gBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAC1E,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAC1E,CAAC;QAED,MAAM,IAAI,2BAA2B,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,QAAmB;QACxD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,yEAAyE;YACzE,uEAAuE;YACvE,0EAA0E;YAC1E,qEAAqE;YACrE,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ;iBAC1B,GAAG,EAAE;iBACL,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,OAAQ,MAAkC,CAAC,OAAO,CAAC,KAAK,UAAU,CAAC,CAAC;YAC1F,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC3C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,yBAAyB,CACjC,OAAO,EACP,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAoB,CAAC,WAAW,EAAE,IAAI,IAAI,QAAQ,CAAC,CACxE,CAAC;YACJ,CAAC;YACD,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,qFAAqF;QACrF,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAyB,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;CACF,CAAA;AA7SY,IAAI;IADhB,UAAU,EAAE;IASR,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;IAE5B,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,gBAAgB,CAAC,CAAA;IAExB,WAAA,QAAQ,EAAE,CAAA;IAEV,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,mBAAmB,CAAC,CAAA;IAE3B,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;qCAbK,cAAc,kBAQZ,SAAS;GAf7B,IAAI,CA6ShB;;AAED;;GAEG;AACH,MAAM,OAAO,SAAS;IAED;IACA;IAFnB,YACmB,IAAU,EACV,IAAe;QADf,SAAI,GAAJ,IAAI,CAAM;QACV,SAAI,GAAJ,IAAI,CAAW;IAC/B,CAAC;IAEJ,MAAM,CAAC,OAAe,EAAE,QAAmB;QACzC,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,OAAO,CAAC,IAAY;QAClB,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,qDAAqD;IACrD,UAAU,CAAC,KAAe;QACxB,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC;CACF"}

package/dist/guard/roles.guard.d.ts

@@ -0,0 +1,21 @@
+import { type CanActivate, type ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Gate } from '../gate.js';
+/**
+ * Enforces `@Roles(...roles)` on routes.
+ *
+ * - No `@Roles` metadata → allow (the guard is inert on un-annotated routes).
+ * - Otherwise allow when the current user holds ANY of the listed roles.
+ *
+ * The current user is resolved EXACTLY as the {@link Gate} does — from the optional
+ * context accessor (nestjs-context) — and an unauthenticated request is denied by
+ * default (`gate.hasAnyRole` returns `false` for a NO_USER caller). The verdict is
+ * delegated to {@link Gate.hasAnyRole}; a denial throws `ForbiddenException`.
+ */
+export declare class RolesGuard implements CanActivate {
+    private readonly reflector;
+    private readonly gate;
+    constructor(reflector: Reflector, gate: Gate);
+    canActivate(ctx: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=roles.guard.d.ts.map

package/dist/guard/roles.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.guard.d.ts","sourceRoot":"","sources":["../../src/guard/roles.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EAGtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAGlC;;;;;;;;;;GAUG;AACH,qBACa,UAAW,YAAW,WAAW;IAE1C,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,IAAI;gBADJ,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,IAAI;IAGvB,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAS3D"}

package/dist/guard/roles.guard.js

@@ -0,0 +1,50 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { ForbiddenException, Injectable, } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Gate } from '../gate.js';
+import { ROLES_METADATA } from '../tokens.js';
+/**
+ * Enforces `@Roles(...roles)` on routes.
+ *
+ * - No `@Roles` metadata → allow (the guard is inert on un-annotated routes).
+ * - Otherwise allow when the current user holds ANY of the listed roles.
+ *
+ * The current user is resolved EXACTLY as the {@link Gate} does — from the optional
+ * context accessor (nestjs-context) — and an unauthenticated request is denied by
+ * default (`gate.hasAnyRole` returns `false` for a NO_USER caller). The verdict is
+ * delegated to {@link Gate.hasAnyRole}; a denial throws `ForbiddenException`.
+ */
+let RolesGuard = class RolesGuard {
+    reflector;
+    gate;
+    constructor(reflector, gate) {
+        this.reflector = reflector;
+        this.gate = gate;
+    }
+    async canActivate(ctx) {
+        const roles = this.reflector.getAllAndOverride(ROLES_METADATA, [
+            ctx.getHandler(),
+            ctx.getClass(),
+        ]);
+        if (!roles || roles.length === 0)
+            return true;
+        if (await this.gate.hasAnyRole(roles))
+            return true;
+        throw new ForbiddenException(`Unauthorized: requires one of [${roles.join(', ')}]`);
+    }
+};
+RolesGuard = __decorate([
+    Injectable(),
+    __metadata("design:paramtypes", [Reflector,
+        Gate])
+], RolesGuard);
+export { RolesGuard };
+//# sourceMappingURL=roles.guard.js.map

package/dist/guard/roles.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.guard.js","sourceRoot":"","sources":["../../src/guard/roles.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAGL,kBAAkB,EAClB,UAAU,GACX,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C;;;;;;;;;;GAUG;AAEI,IAAM,UAAU,GAAhB,MAAM,UAAU;IAEF;IACA;IAFnB,YACmB,SAAoB,EACpB,IAAU;QADV,cAAS,GAAT,SAAS,CAAW;QACpB,SAAI,GAAJ,IAAI,CAAM;IAC1B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,GAAqB;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAuB,cAAc,EAAE;YACnF,GAAG,CAAC,UAAU,EAAE;YAChB,GAAG,CAAC,QAAQ,EAAE;SACf,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC9C,IAAI,MAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnD,MAAM,IAAI,kBAAkB,CAAC,kCAAkC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACtF,CAAC;CACF,CAAA;AAfY,UAAU;IADtB,UAAU,EAAE;qCAGmB,SAAS;QACd,IAAI;GAHlB,UAAU,CAetB"}

package/dist/index.d.ts

@@ -1,16 +1,24 @@
 export declare const VERSION = "0.0.0";
 export { Gate, BoundGate } from './gate.js';
+export { AUTHZ_DECISION_CHANNEL, authzDecisionChannel, publishAuthzDecision, } from './diagnostics.js';
+export type { AuthzDecisionDiagnostic, AuthzDecisionReason } from './diagnostics.js';
 export { PolicyRegistry } from './policy-registry.js';
 export { Policy, getPolicyResource } from './decorator/policy.decorator.js';
 export { Can } from './decorator/can.decorator.js';
 export type { CanMetadata, CanOptions } from './decorator/can.decorator.js';
+export { Roles } from './decorator/roles.decorator.js';
 export { CanGuard } from './guard/can.guard.js';
+export { RolesGuard } from './guard/roles.guard.js';
 export { AuthzModule } from './module.js';
+export { createCanController, DEFAULT_CAN_ENDPOINT_PATH, } from './can-endpoint.controller.js';
+export type { CanRequestBody, CanResponseBody } from './can-endpoint.controller.js';
 export { IdParamResourceResolver } from './resource-resolver.js';
 export type { ResourceResolver } from './resource-resolver.js';
 export type { ContextAccessor, ContextStore, UserRef } from './context-accessor.js';
 export type { PermissionProvider } from './permission-provider.js';
-export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, } from './tokens.js';
+export { defaultRoleResolver } from './role-provider.js';
+export type { RoleProvider, RoleResolver } from './role-provider.js';
+export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, RESOURCE_HYDRATOR, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
 export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
-export type { AuthzModuleOptions, AuthzModuleAsyncOptions, AuthzModuleOptionsFactory, GateFn, PolicyBeforeHook, PolicyInstance, PolicyMethod, Resource, SuperAdminHook, User, } from './types.js';
+export type { AuthzModuleOptions, AuthzModuleAsyncOptions, AuthzModuleOptionsFactory, GateFn, PolicyBeforeHook, PolicyInstance, PolicyMethod, Resource, ResourceLoader, ResourceLoaderMap, SuperAdminHook, User, } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACpF,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,yBAAyB,EACzB,MAAM,EACN,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,cAAc,EACd,IAAI,GACL,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACpF,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,yBAAyB,EACzB,MAAM,EACN,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,IAAI,GACL,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -1,11 +1,16 @@
 export const VERSION = '0.0.0';
 export { Gate, BoundGate } from './gate.js';
+export { AUTHZ_DECISION_CHANNEL, authzDecisionChannel, publishAuthzDecision, } from './diagnostics.js';
 export { PolicyRegistry } from './policy-registry.js';
 export { Policy, getPolicyResource } from './decorator/policy.decorator.js';
 export { Can } from './decorator/can.decorator.js';
+export { Roles } from './decorator/roles.decorator.js';
 export { CanGuard } from './guard/can.guard.js';
+export { RolesGuard } from './guard/roles.guard.js';
 export { AuthzModule } from './module.js';
+export { createCanController, DEFAULT_CAN_ENDPOINT_PATH, } from './can-endpoint.controller.js';
 export { IdParamResourceResolver } from './resource-resolver.js';
-export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, } from './tokens.js';
+export { defaultRoleResolver } from './role-provider.js';
+export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, RESOURCE_HYDRATOR, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
 export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAEnD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAIjE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAEnD,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAIjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEzD,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC"}

package/dist/module.d.ts

@@ -10,11 +10,24 @@ export declare class AuthzModule {
      * override / `idParam` knob from forRoot OR forRootAsync is honored.
      */
     private static resourceResolverProviders;
+    /**
+     * Bind the {@link RESOURCE_HYDRATOR} token to the resolved options'
+     * `resourceLoaders` map so the opt-in `POST /authz/can` endpoint can rehydrate a
+     * `{ type, id }` shim into the REAL entity before authorizing. Reads the resolved
+     * options so the map from forRoot OR a forRootAsync factory is honored. Resolves to
+     * `undefined` when no `resourceLoaders` are configured (endpoint behavior unchanged).
+     */
+    private static resourceHydratorProviders;
     /**
      * Provider that populates the {@link PolicyRegistry} on init (explicit policies
      * + auto-discovered `@Policy` providers). Registered for both forRoot/forRootAsync.
      */
     private static bootstrapProviders;
+    /**
+     * Build the opt-in `POST /authz/can` fallback controller (or none). Off by
+     * default; `true` mounts at the default path, a string mounts at that path.
+     */
+    private static canControllers;
     private static buildAsyncOptionsProvider;
 }
 //# sourceMappingURL=module.d.ts.map

package/dist/module.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,KAAK,EACV,uBAAuB,EACvB,kBAAkB,EAGnB,MAAM,YAAY,CAAC;AAmEpB,qBACa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,kBAAuB,GAAG,aAAa;IA2B/D,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,uBAAuB,GAAG,aAAa;IAoBpE;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAWxC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAIjC,OAAO,CAAC,MAAM,CAAC,yBAAyB;CA2BzC"}
+{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AAUxB,OAAO,KAAK,EACV,uBAAuB,EACvB,kBAAkB,EAInB,MAAM,YAAY,CAAC;AAmEpB,qBACa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,kBAAuB,GAAG,aAAa;IAiC/D,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,uBAAuB,GAAG,aAAa;IAgCpE;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAWxC;;;;;;OAMG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAWxC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAIjC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAM7B,OAAO,CAAC,MAAM,CAAC,yBAAyB;CA2BzC"}

package/dist/module.js

@@ -13,12 +13,14 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 var AuthzModule_1;
 import { Inject, Injectable, Module, Optional, } from '@nestjs/common';
 import { APP_GUARD, DiscoveryModule, DiscoveryService, ModuleRef } from '@nestjs/core';
+import { DEFAULT_CAN_ENDPOINT_PATH, createCanController } from './can-endpoint.controller.js';
 import { getPolicyResource } from './decorator/policy.decorator.js';
 import { Gate } from './gate.js';
 import { CanGuard } from './guard/can.guard.js';
+import { RolesGuard } from './guard/roles.guard.js';
 import { PolicyRegistry } from './policy-registry.js';
 import { IdParamResourceResolver } from './resource-resolver.js';
-import { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER } from './tokens.js';
+import { AUTHZ_MODULE_OPTIONS, RESOURCE_HYDRATOR, RESOURCE_RESOLVER } from './tokens.js';
 /**
  * Populates the {@link PolicyRegistry} at boot from explicit `policies: []` and
  * auto-discovered `@Policy`-decorated providers.
@@ -100,6 +102,7 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
             module: AuthzModule_1,
             global: true,
             imports: [DiscoveryModule],
+            controllers: AuthzModule_1.canControllers(options.canEndpoint),
             providers: [
                 { provide: AUTHZ_MODULE_OPTIONS, useValue: options },
                 ...policyProviders,
@@ -107,15 +110,20 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
                 Gate,
                 CanGuard,
                 { provide: APP_GUARD, useExisting: CanGuard },
+                RolesGuard,
+                { provide: APP_GUARD, useExisting: RolesGuard },
                 ...AuthzModule_1.resourceResolverProviders(),
+                ...AuthzModule_1.resourceHydratorProviders(),
                 ...AuthzModule_1.bootstrapProviders(),
             ],
             exports: [
                 Gate,
                 PolicyRegistry,
                 CanGuard,
+                RolesGuard,
                 AUTHZ_MODULE_OPTIONS,
                 RESOURCE_RESOLVER,
+                RESOURCE_HYDRATOR,
                 ...(options.policies ?? []),
             ],
         };
@@ -127,16 +135,28 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
             module: AuthzModule_1,
             global: true,
             imports: [DiscoveryModule, ...(options.imports ?? [])],
+            controllers: AuthzModule_1.canControllers(options.canEndpoint),
             providers: [
                 ...asyncProviders,
                 PolicyRegistry,
                 Gate,
                 CanGuard,
                 { provide: APP_GUARD, useExisting: CanGuard },
+                RolesGuard,
+                { provide: APP_GUARD, useExisting: RolesGuard },
                 ...AuthzModule_1.resourceResolverProviders(),
+                ...AuthzModule_1.resourceHydratorProviders(),
                 ...AuthzModule_1.bootstrapProviders(),
             ],
-            exports: [Gate, PolicyRegistry, CanGuard, AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER],
+            exports: [
+                Gate,
+                PolicyRegistry,
+                CanGuard,
+                RolesGuard,
+                AUTHZ_MODULE_OPTIONS,
+                RESOURCE_RESOLVER,
+                RESOURCE_HYDRATOR,
+            ],
         };
     }
     /**
@@ -154,6 +174,22 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
             },
         ];
     }
+    /**
+     * Bind the {@link RESOURCE_HYDRATOR} token to the resolved options'
+     * `resourceLoaders` map so the opt-in `POST /authz/can` endpoint can rehydrate a
+     * `{ type, id }` shim into the REAL entity before authorizing. Reads the resolved
+     * options so the map from forRoot OR a forRootAsync factory is honored. Resolves to
+     * `undefined` when no `resourceLoaders` are configured (endpoint behavior unchanged).
+     */
+    static resourceHydratorProviders() {
+        return [
+            {
+                provide: RESOURCE_HYDRATOR,
+                useFactory: (options) => options?.resourceLoaders,
+                inject: [{ token: AUTHZ_MODULE_OPTIONS, optional: true }],
+            },
+        ];
+    }
     /**
      * Provider that populates the {@link PolicyRegistry} on init (explicit policies
      * + auto-discovered `@Policy` providers). Registered for both forRoot/forRootAsync.
@@ -161,6 +197,16 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
     static bootstrapProviders() {
         return [AuthzPolicyBootstrap];
     }
+    /**
+     * Build the opt-in `POST /authz/can` fallback controller (or none). Off by
+     * default; `true` mounts at the default path, a string mounts at that path.
+     */
+    static canControllers(canEndpoint) {
+        if (!canEndpoint)
+            return [];
+        const path = typeof canEndpoint === 'string' ? canEndpoint : DEFAULT_CAN_ENDPOINT_PATH;
+        return [createCanController(path)];
+    }
     static buildAsyncOptionsProvider(options) {
         if (options.useFactory) {
             return {

package/dist/module.js.map

@@ -1 +1 @@
-{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAyB,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAQtE;;;;;;;GAOG;AACH,IACM,oBAAoB,GAD1B,MACM,oBAAoB;IAEL;IACA;IACA;IAC0C;IAJ7D,YACmB,QAAwB,EACxB,SAA2B,EAC3B,SAAoB,EACsB,OAA4B;QAHtE,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAkB;QAC3B,cAAS,GAAT,SAAS,CAAW;QACsB,YAAO,GAAP,OAAO,CAAqB;IACtF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAW,CAAC;QAEhC,+EAA+E;QAC/E,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBAAE,SAAS;YACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC/D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAsC,CAAC;YAChE,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACtC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,qBAAqB,CACjC,WAAiC;QAEjC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAiB,WAAW,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;QAC/D,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAiB,WAAW,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;CACF,CAAA;AAtDK,oBAAoB;IADzB,UAAU,EAAE;IAMR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;qCAHd,cAAc;QACb,gBAAgB;QAChB,SAAS;GAJnC,oBAAoB,CAsDzB;AAGM,IAAM,WAAW,mBAAjB,MAAM,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,UAA8B,EAAE;QAC7C,MAAM,eAAe,GAAe,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAa,CAAC,CAAC;QACvF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,CAAC;YAC1B,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD,GAAG,eAAe;gBAClB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,oBAAoB;gBACpB,iBAAiB;gBACjB,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAgC;QAClD,MAAM,aAAa,GAAG,aAAW,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACtF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,EAAE,GAAI,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAqB,CAAC;YAC3E,SAAS,EAAE;gBACT,GAAG,cAAc;gBACjB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE,CAAC,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,oBAAoB,EAAE,iBAAiB,CAAC;SACnF,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,MAAM,CAAC,yBAAyB;QACtC,OAAO;YACL;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,UAAU,EAAE,CAAC,OAA4B,EAAoB,EAAE,CAC7D,OAAO,EAAE,gBAAgB,IAAI,IAAI,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC;gBAC5E,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,kBAAkB;QAC/B,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChC,CAAC;IAEO,MAAM,CAAC,yBAAyB,CACtC,OAAgC;QAEhC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,oBAAoB;gBAC7B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAyB;aACvD,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE;gBACzD;oBACE,OAAO,EAAE,oBAAoB;oBAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;oBACtF,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;iBAC3B;aACF,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,OAAO,CAAC,WAA8C,CAAC;QAC5E,OAAO;YACL,OAAO,EAAE,oBAAoB;YAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;YACtF,MAAM,EAAE,CAAC,YAAY,CAAC;SACvB,CAAC;IACJ,CAAC;CACF,CAAA;AApGY,WAAW;IADvB,MAAM,CAAC,EAAE,CAAC;GACE,WAAW,CAoGvB"}
+{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACvF,OAAO,EAAE,yBAAyB,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAC9F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAyB,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AASzF;;;;;;;GAOG;AACH,IACM,oBAAoB,GAD1B,MACM,oBAAoB;IAEL;IACA;IACA;IAC0C;IAJ7D,YACmB,QAAwB,EACxB,SAA2B,EAC3B,SAAoB,EACsB,OAA4B;QAHtE,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAkB;QAC3B,cAAS,GAAT,SAAS,CAAW;QACsB,YAAO,GAAP,OAAO,CAAqB;IACtF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAW,CAAC;QAEhC,+EAA+E;QAC/E,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBAAE,SAAS;YACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC/D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAsC,CAAC;YAChE,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACtC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,qBAAqB,CACjC,WAAiC;QAEjC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAiB,WAAW,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;QAC/D,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAiB,WAAW,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;CACF,CAAA;AAtDK,oBAAoB;IADzB,UAAU,EAAE;IAMR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;qCAHd,cAAc;QACb,gBAAgB;QAChB,SAAS;GAJnC,oBAAoB,CAsDzB;AAGM,IAAM,WAAW,mBAAjB,MAAM,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,UAA8B,EAAE;QAC7C,MAAM,eAAe,GAAe,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAa,CAAC,CAAC;QACvF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,CAAC;YAC1B,WAAW,EAAE,aAAW,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC5D,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD,GAAG,eAAe;gBAClB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,UAAU;gBACV,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE;gBAC/C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,oBAAoB;gBACpB,iBAAiB;gBACjB,iBAAiB;gBACjB,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAgC;QAClD,MAAM,aAAa,GAAG,aAAW,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACtF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,EAAE,GAAI,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAqB,CAAC;YAC3E,WAAW,EAAE,aAAW,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC5D,SAAS,EAAE;gBACT,GAAG,cAAc;gBACjB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,UAAU;gBACV,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE;gBAC/C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,oBAAoB;gBACpB,iBAAiB;gBACjB,iBAAiB;aAClB;SACF,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,MAAM,CAAC,yBAAyB;QACtC,OAAO;YACL;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,UAAU,EAAE,CAAC,OAA4B,EAAoB,EAAE,CAC7D,OAAO,EAAE,gBAAgB,IAAI,IAAI,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC;gBAC5E,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACK,MAAM,CAAC,yBAAyB;QACtC,OAAO;YACL;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,UAAU,EAAE,CAAC,OAA4B,EAAiC,EAAE,CAC1E,OAAO,EAAE,eAAe;gBAC1B,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,kBAAkB;QAC/B,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChC,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,cAAc,CAAC,WAAyC;QACrE,IAAI,CAAC,WAAW;YAAE,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,OAAO,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,yBAAyB,CAAC;QACvF,OAAO,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;IACrC,CAAC;IAEO,MAAM,CAAC,yBAAyB,CACtC,OAAgC;QAEhC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,oBAAoB;gBAC7B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAyB;aACvD,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE;gBACzD;oBACE,OAAO,EAAE,oBAAoB;oBAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;oBACtF,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;iBAC3B;aACF,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,OAAO,CAAC,WAA8C,CAAC;QAC5E,OAAO;YACL,OAAO,EAAE,oBAAoB;YAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;YACtF,MAAM,EAAE,CAAC,YAAY,CAAC;SACvB,CAAC;IACJ,CAAC;CACF,CAAA;AAlJY,WAAW;IADvB,MAAM,CAAC,EAAE,CAAC;GACE,WAAW,CAkJvB"}

package/dist/permission-provider.d.ts

@@ -16,6 +16,8 @@ import type { Resource, User } from './types.js';
  *
  * `userRef` is the current user (whatever the app's auth layer produced; `undefined`
  * when anonymous). `permission` is the ability name passed to `gate.allows(...)`.
+ * `resource` is the dispatch target, when one was given; providers MAY ignore it —
+ * model-less, named-ability grants (e.g. the typeorm RBAC adapter) do.
  */
 export interface PermissionProvider {
     hasPermission(user: User, permission: string, resource?: Resource): boolean | undefined | Promise<boolean | undefined>;

package/dist/permission-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permission-provider.d.ts","sourceRoot":"","sources":["../src/permission-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEjD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,kBAAkB;IACjC,aAAa,CACX,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;CACvD"}
+{"version":3,"file":"permission-provider.d.ts","sourceRoot":"","sources":["../src/permission-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,kBAAkB;IACjC,aAAa,CACX,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;CACvD"}

package/dist/policy-registry.d.ts

@@ -19,5 +19,26 @@ export declare class PolicyRegistry {
     has(resource: Type<unknown>): boolean;
     /** All registered policies (for introspection/testing). */
     all(): PolicyInstance[];
+    /** All registered resource classes (insertion order). */
+    resources(): Type<unknown>[];
+    /**
+     * Enumerate the CLASS-LEVEL ability method names declared on each registered
+     * policy, keyed by resource class. Used by integrations that pre-resolve a
+     * user's class-level abilities (e.g. to share them as Inertia props).
+     *
+     * Walks the policy prototype chain and collects own function-valued members,
+     * excluding `constructor` and the reserved `before` hook. Inherited Object
+     * members are skipped.
+     *
+     * Only methods that take NO resource instance are included — heuristically,
+     * arity `<= 1` (just `user`, e.g. `create(user)` / `viewAny(user)`). An
+     * instance method like `update(user, post)` is excluded: dispatching it
+     * against the resource CLASS would call it with the class constructor as
+     * `post` and write a bogus class-level verdict.
+     */
+    classAbilities(): Array<{
+        resource: Type<unknown>;
+        abilities: string[];
+    }>;
 }
 //# sourceMappingURL=policy-registry.d.ts.map

package/dist/policy-registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"policy-registry.d.ts","sourceRoot":"","sources":["../src/policy-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD;;;GAGG;AACH,qBACa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA4C;IAEvE;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI;IAStC,wEAAwE;IACxE,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,cAAc,GAAG,SAAS;IAIhE,+EAA+E;IAC/E,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIzD,+DAA+D;IAC/D,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO;IAIrC,2DAA2D;IAC3D,GAAG,IAAI,cAAc,EAAE;CAGxB"}
+{"version":3,"file":"policy-registry.d.ts","sourceRoot":"","sources":["../src/policy-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD;;;GAGG;AACH,qBACa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA4C;IAEvE;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI;IAStC,wEAAwE;IACxE,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,cAAc,GAAG,SAAS;IAIhE,+EAA+E;IAC/E,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIzD,+DAA+D;IAC/D,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO;IAIrC,2DAA2D;IAC3D,GAAG,IAAI,cAAc,EAAE;IAIvB,yDAAyD;IACzD,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE;IAI5B;;;;;;;;;;;;;;OAcG;IACH,cAAc,IAAI,KAAK,CAAC;QAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,SAAS,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAsB1E"}